Forensic Analysis of Dropbox® Application File Artifacts Recovered on iOS and Android Mobile Devices Sara Treleven, 1* BS , Christopher Vance, 1Marshall the amount of information stored on the device itself, but also the location of the application files used on different operating systems Terry Fenger, 1 PhD , Joshua Brunty, 1 MS , Jenniffer Price, 2 BA University Forensic Science Program, 1401 Forensic Science Dr., Huntington, WV 25701 2Wisconsin Department of Justice, 17 West Main St., Madison WI 53711 Abstract Forensic examination of smartphone mobile devices is hindered not only by 1 BS , Results Discussion and Conclusions Physical Analyzer FTK Dropbox® files stored on the iOS device and on the Android device both showed a similar file structure with all files in their appropriate folders All JPEG images were recovered from both mobile devices Dropbox® was installed on a 4th generation Apple iPod Touch running iOS 5.1.1 and an Android smartphone emulator running Android 2.3.3 to examine the file structure layout and data organization of the application files Microsoft Word and Excel documents were only recovered from the iPod Touch Physical dumps of both file systems were done and analyses took place using Physical Analyzer version 3.0 and FTK version 4.0.2.33 The deleted Microsoft Word document was recovered on the iPod Touch, but the Android emulator did not show any indication of it being stored on Dropbox® File structures of both operating systems were similar; however more user data was able to be recovered from the iOS device. The .MOV video file associated with Dropbox® was unrecoverable from either the iOS or Android mobile devices iOS More pertinent information was recovered on the iOS device than from the Android emulator regarding the user Introduction No record of email addresses associated with the “shared” folder were found Of the world’s almost five billion mobile phones in use, 1.08 billion are smartphones and approximately 100 million of these smartphones are present in the United States alone10 Future studies should be conducted to confirm that Dropbox® application files found on the Android emulator are identical to the Dropbox® files found on an actual Android smartphone Illegal pictures and videos can be taken and distributed within seconds and stored in vast amounts on inconspicuous storage devices that are easily concealed References Dropbox® sharing application available for iOS and Android mobile devices has made the information stored using the app more accessible with each device synched to the user’s account The location of the stored files plays a significant role in forensic analysis as the cloud becomes a larger storage medium than an actual physical hard drive The ability to recover these files quickly and efficiently from mobile devices running different operating systems can help expedite analysts’ casework Table 1. Recovered Dropbox® files and user information from the iOS iPod Touch after analyses with FTK and Physical Analyzer software. Physical Analyzer FTK Materials and Methods Research Devices 4th Gen. iPod Touch with iOS 5.1.1 operating system Dropbox® version 1.5.2 for iOS MacBook Pro with OS X Mountain Lion running an Android emulator with Android 2.3.3 operating system Dropbox® version 2.1.2 for Android Android Forensic Software FTK version 4.0.2.33 Physical Analyzer version 3.0 Standard Research Folder 9 JPG image files 1 Microsoft Word document 1 Microsoft Excel document 1 video (taken and uploaded with iPod Touch) 1 deleted Microsoft Word document 1. Android (operating system) [Internet]. 2012. Wikipedia. [cited 2012 June 5]. Available from: http://en.wikipedia.org/wiki/Android_%28operating_system%29 2. Android Developers. 2012. [Internet]. Android. [cited 2012 June 3]. Available from: http://developer.android.com/index.html 3. Bem, D. 2007. Computer forensic analysis in a virtual environment. International Journal of Digital Evidence 6(2). 4. Beta News. [Internet]. Now Anyone, Not Just Cops With a Warrant Can Peek Inside Your Dropbox®. 2012. [cited 2012 July 24]. Available from: http://betanews.com/2011/06/16/now-anyonenot-just-cops-with-a-warrant-can-peek-inside-your-Dropbox / 5. Digital Buzz. [Internet]. Infographic: Mobile Statistics, Stats & Facts 2011. 2011. [cited 2012 July 25]. Available from: http://www.digitalbuzzblog.com/2011-mobile-statistics-stats-facts-marketinginfographic/ 6. Dropbox ® (Service). [Internet]. 2012. Wikipedia. [cited 2012 June 5]. Available from: http://en.wikipedia.org/wiki/Dropbox _%28service%29 7. Garfinkel, SL. 2010. Digital forensics research: The next 10 years. Journal of Digital Investigation 7:64-73. 8. Hoog A. 2011. Android forensics: Investigation, analysis, and mobile security for Google Android. 1st Ed. Massachusetts. Syngress. p. 102-20. 9. OS X [Internet]. 2012. Wikipedia; [cited 2012 June 5]. Available from: http://en.wikipedia.org/wiki/OS_X 10. Pew Internet. [Internet]. Nearly Half of American Adults are Smartphone Owners. 2012. [cited 2012 July 23]. Available from: http://pewinternet.org/Reports/2012/Smartphone-Update-2012.aspx 11. Phonedog. [Internet]. Number of U.S. Smartphone Subscribers Surpass 100 million, Says ComScore. 2012. [cited 2012 June 25]. Available from: http://www.phonedog.com/2012/03/08/number-of-u-s-smartphone-subscribers-surpasses-100-millionsays-comscore/ 12. PC Mag. [Internet]. Smartphone App Downloads Jump 28 Percent 2011. [cited 2012 June 26]. Available from: http://www.pcmag.com/article2/0,2817,2404502,00.asp 13. Vidas, T., Zhang, C., and C. Nicolas. 2011. Toward a general collection methodology for Android devices. Journal of Digital Investigation 8:14-24. Acknowledgements The author thanks Christopher Vance, Dr. Terry Fenger, Dr. Pamela Staton, and Josh Brunty from the Marshall University Forensic Science Center for their guidance and instruction, as well as Special Agent in Charge Jenniffer Price, Lead Criminal Analyst Tim Lokrantz, and Criminal Analysts Mark Howard, Chris Kendrex, Florian Berger, Toby Carlson, and Christine Byars at the Department of Justice’s Division of Criminal Investigation Computer Forensics Unit in Wisconsin. Dropbox Information Username: misde.ethan@me.com Dropbox® ID: 83845009 Table 2. Recovered Dropbox® files and user information from the Android emulator after analyses with FTK and Physical Analyzer software.